When Console Login is enabled on macOS, any user at the Login Screen can type >console to bypass the graphical login interface and access a text-based console session. Disabling this through the Login Window Device Setting ensures the console is only accessible to users who are already logged in, reducing the risk of unauthorized access.
How to Configure the Device Setting
- Navigate to Catalog > Device Settings and click New.
- Select Login Window from the settings list.
- Enter a Payload Name to identify the Device Setting.
- Click the Options tab.
Check the box next to Enable console login to include the key in the payload, then make sure the Enable console login toggle is unchecked (disabled).
- Click Create Profile, then assign it to the appropriate policy and deploy.
Note: The outer checkbox (Include) adds the setting to the payload. The inner checkbox controls whether console login is enabled or disabled. To disable console login, the outer box must be checked and the inner box must be unchecked.